Security Bulletin: Vulnerabilities in Ruby affect PowerKVM

Summary

PowerKVM is affected by vulnerabilities in Ruby . IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-17790**
DESCRIPTION:** Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in the lazy_initialize function in lib/resolv.rb. By using a Resolv::Hosts::new argument beginning with a ‘’|‘’ character, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136550 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-17405**
DESCRIPTION:** Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by flaws in the Net::FTP. By sending a specially-crafted command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136460 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-14064**
DESCRIPTION:** Ruby could allow a remote attacker to obtain sensitive information, caused by an issue with using strdup in ext/json/ext/generator/generator.c during a JSON generate call. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to expose arbitrary memory on the affected system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131304 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-14033**
DESCRIPTION:** Ruby is vulnerable to a denial of service, caused by buffer underrun flaw in the OpenSSL::ASN1 decode function. By sending a specially crafted string, a remote attacker could exploit this vulnerability to cause the interpreter to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132046 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-10784**
DESCRIPTION:** Ruby could allow a remote attacker to bypass security restrictions, caused by a flaw in the WEBrick Basic authentication function. By sending a specially-crafted username, an attacker could exploit this vulnerability to inject escape sequence to the log files.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132045 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-0903**
DESCRIPTION:** RubyGems could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133521 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-0902**
DESCRIPTION:** An unspecified vulnerability in RubyGems, bundled by Ruby, could allow a remote attacker to hijack DNS sessions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131229 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-0901**
DESCRIPTION:** RubyGems, bundled by Ruby, could allow a remote attacker to overwrite arbitrary files on the system, caused by an error in the gem installer. An attacker could exploit this vulnerability to overwrite arbitrary files.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-0900**
DESCRIPTION:** RubyGems, bundled by Ruby, is vulnerable to a denial of service. By sending a specially crafted query command, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131231 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-0899**
DESCRIPTION:** An ANSI escape vulnerability in RubyGems, bundled by Ruby, has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131230 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-0898**
DESCRIPTION:** Ruby is vulnerable to a denial of service, caused by a buffer underrun in the Kernel.sprintf method. By persuading a victim to open a specially-crafted application, a remote attacker could exploit this vulnerability to cause the interpreter to crash or access data from the heap.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 13.

Workarounds and Mitigations

none